1 Introduction

This document has been written in support of a research project to publicly demonstrate and document how a high assurance product can be developed and distributed. A high assurance product is one for which its users have a high level of confidence that its security policies will be enforced continuously and correctly. Such products are constructed so that they can be analyzed for these characteristics. Lifecycle activities ensure that the product reflects the developer's intent that it be trustworthy, and that vigorous efforts have been made to ensure the absence of unspecified functionality, whether accidental or intentional.

This document describes the policy and high-level processes for the distribution of the TCX product to external users. This document is driven by the TCX Life Cycle Management Plan (LCMP) [1], the Configuration Management Plan [2], and the Quality Assurance Plan [3]. This document provides the framework for the Integration Procedures and the Delivery Procedures identified in the LCMP. Some of the concepts described in this document were developed in a student's Master's thesis [4].

This is a preliminary design for product distribution; it has not been tested with a product actually distributed to end-users.

2 The Approach to Trusted Distribution

An important aspect of high assurance is the verification that the product that was received by the customer is the product that was built by the developer. Distribution can be assured through the proper use of a PKI, as shown in Figure 1.


Figure 1 (PKI-based trusted distribution; only the labels "CA" and "Web Server" survive from the figure)


The software product shall be signed with a physically protected private key. The complementary public key shall be signed by a recognized Certificate Authority (CA). The CA public key shall be used to verify the integrity and validity of the software organization's public key. The organization's public key together with the product signatures are then used to verify the integrity of the distributed software product.
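The two-step verification just described (CA key validates the organization's key, organization's key validates the product signature) is shown below as an added example; it is not code from the TCX project or from this plan. It models a certificate as the CA's Ed25519 signature over the organization's name and public key rather than as X.509, uses a constructed payload in place of the real product, and also exercises the plan's later requirement that self-signed certificates be rejected. All key material, the subject name "TCX Project", and the function names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certificate is a minimal stand-in for a CA-issued certificate: the CA's signature
// binds the organization's name to its public key. (Constructed model, not X.509.)
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte // CA signature over certBody(Subject, PubKey)
}

// certBody is the byte string the CA signs: subject name, a separator, then the key.
func certBody(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// IssueCertificate is the CA's step: sign the organization's public key.
func IssueCertificate(caPriv ed25519.PrivateKey, subject string, orgPub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PubKey: orgPub, Sig: ed25519.Sign(caPriv, certBody(subject, orgPub))}
}

// SignProduct is the organization's step: sign the SHA-256 digest of the product
// with the (physically protected) private key.
func SignProduct(orgPriv ed25519.PrivateKey, product []byte) []byte {
	digest := sha256.Sum256(product)
	return ed25519.Sign(orgPriv, digest[:])
}

// VerifyDistribution is the customer's step, in the order the plan gives it:
// the CA public key validates the organization's certificate, then the certified
// organization key validates the product signature. A certificate the CA did not
// sign (for example a self-signed one) fails at the first check.
func VerifyDistribution(caPub ed25519.PublicKey, cert Certificate, product, productSig []byte) error {
	if !ed25519.Verify(caPub, certBody(cert.Subject, cert.PubKey), cert.Sig) {
		return errors.New("organization certificate is not signed by the recognized CA")
	}
	digest := sha256.Sum256(product)
	if !ed25519.Verify(cert.PubKey, digest[:], productSig) {
		return errors.New("product signature does not verify: item altered or signed with another key")
	}
	return nil
}

// RunScenario builds one distribution with constructed keys and a constructed payload
// and reports three checks: the genuine package verifies, a modified package does not,
// and a package vouched for only by a self-signed certificate does not.
func RunScenario() (genuineAccepted, tamperedRejected, selfSignedRejected bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCertificate(caPriv, "TCX Project", orgPub) // subject name is an assumption

	product := []byte("tcx-1.0.tar (constructed sample payload)")
	sig := SignProduct(orgPriv, product)
	genuineAccepted = VerifyDistribution(caPub, cert, product, sig) == nil

	// Flip one bit of the payload: the digest changes, so the signature no longer verifies.
	tampered := append([]byte(nil), product...)
	tampered[0] ^= 0x01
	tamperedRejected = VerifyDistribution(caPub, cert, tampered, sig) != nil

	// A key pair certified by itself rather than by the CA; the rationale in the plan
	// requires such certificates to be rejected, and the first check does so.
	selfPub, selfPriv, _ := ed25519.GenerateKey(rand.Reader)
	selfSigned := IssueCertificate(selfPriv, "TCX Project", selfPub)
	selfSignedRejected = VerifyDistribution(caPub, selfSigned, tampered, SignProduct(selfPriv, tampered)) != nil
	return
}

func main() {
	a, b, c := RunScenario()
	fmt.Printf("genuine accepted: %v\ntampered rejected: %v\nself-signed rejected: %v\n", a, b, c)
}
```

The order of the checks matters: the organization's key is trusted only after the CA's signature over it has been verified, so a key that is merely self-certified never reaches the product-signature step.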

3 From Creation to Distribution

Figure 2 shows an expanded view of the flow described in [3], showing the additional high-level steps for distribution.

When the CCB approves a submission, the CM staff imports the material into the CM Repository [2]. As a separate action, the Project Manager must also approve the public release of material. The Project Manager compiles a Releasable Items List (RIL) of the items to be publicly released; these items constitute the product. The RIL is then given to the CM staff.

A person acting as an assigned Release Agent (RA) will request material from CM. CM will comply as long as the requested items are on the RIL and the person is designated as an RA by the Project Manager. The requested items are cryptographically signed by CM when the RA requests the items. A record of all signatures is maintained by the CM staff. The items and the signatures are given to the RA. Key pairs may be generated for the RA if it is determined that post-CM packages need to be created. The RA will arrange to have the requested items imported into the TCX web server, along with their signatures.
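The release gate in this section (CM signs only items on the RIL, only for a designated RA, and records every signature) is shown below as an added example; it is not code from the TCX project or from this plan. The repository contents, the item names, the RIL, the RA list and the person names are all constructed, and the signature record is kept as an in-memory slice rather than whatever medium the CM staff would actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ReleaseRequest is what a Release Agent hands to CM: who is asking and for which items.
type ReleaseRequest struct {
	Requester string
	Items     []string
}

// SignatureRecord is one entry of the record of signatures the CM staff keep.
type SignatureRecord struct {
	Item      string
	Requester string
	Digest    string // hex SHA-256 of the item
	Signature string // hex Ed25519 signature over the digest
}

// CMRepository models the CM side of the plan with constructed data.
type CMRepository struct {
	signingKey ed25519.PrivateKey
	contents   map[string][]byte // item name -> item bytes
	ril        map[string]bool   // Releasable Items List from the Project Manager
	agents     map[string]bool   // persons designated as Release Agents
	Log        []SignatureRecord // record of all signatures issued
}

// NewSampleRepository builds a repository with constructed items, RIL and RA list.
func NewSampleRepository() *CMRepository {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &CMRepository{
		signingKey: priv,
		contents: map[string][]byte{
			"tcx-kernel.bin":            []byte("constructed kernel image"),
			"tcx-user-guide.pdf":        []byte("constructed user guide"),
			"internal-design-notes.txt": []byte("constructed notes, not for release"),
		},
		ril:    map[string]bool{"tcx-kernel.bin": true, "tcx-user-guide.pdf": true},
		agents: map[string]bool{"alice": true},
	}
}

// PublicKey returns the CM verification key published alongside the product.
func (cm *CMRepository) PublicKey() ed25519.PublicKey {
	return cm.signingKey.Public().(ed25519.PublicKey)
}

// Item returns the stored bytes of a repository item (nil if absent).
func (cm *CMRepository) Item(name string) []byte { return cm.contents[name] }

// Release enforces both conditions in the plan before signing anything: the requester
// must be a designated RA and every requested item must be on the RIL. Either failure
// releases nothing and leaves the signature record unchanged.
func (cm *CMRepository) Release(req ReleaseRequest) (map[string][]byte, error) {
	if !cm.agents[req.Requester] {
		return nil, fmt.Errorf("%q is not a designated Release Agent", req.Requester)
	}
	for _, item := range req.Items {
		if !cm.ril[item] {
			return nil, fmt.Errorf("item %q is not on the Releasable Items List", item)
		}
		if _, ok := cm.contents[item]; !ok {
			return nil, fmt.Errorf("item %q is not in the CM repository", item)
		}
	}
	sigs := make(map[string][]byte, len(req.Items))
	for _, item := range req.Items {
		digest := sha256.Sum256(cm.contents[item])
		sig := ed25519.Sign(cm.signingKey, digest[:])
		sigs[item] = sig
		cm.Log = append(cm.Log, SignatureRecord{Item: item, Requester: req.Requester,
			Digest: hex.EncodeToString(digest[:]), Signature: hex.EncodeToString(sig)})
	}
	return sigs, nil
}

// VerifyItem is the check the web server or an end user runs on an item and its signature.
func VerifyItem(cmPub ed25519.PublicKey, item, sig []byte) bool {
	digest := sha256.Sum256(item)
	return ed25519.Verify(cmPub, digest[:], sig)
}

func main() {
	cm := NewSampleRepository()
	sigs, err := cm.Release(ReleaseRequest{Requester: "alice", Items: []string{"tcx-kernel.bin"}})
	fmt.Println("designated RA, RIL item:", err, "signatures:", len(sigs))
	_, err = cm.Release(ReleaseRequest{Requester: "alice", Items: []string{"internal-design-notes.txt"}})
	fmt.Println("item not on RIL:", err)
	_, err = cm.Release(ReleaseRequest{Requester: "bob", Items: []string{"tcx-kernel.bin"}})
	fmt.Println("requester not an RA:", err)
	fmt.Println("signature records kept:", len(cm.Log))
}
```

All items in a request are checked against the RIL before any of them is signed, so a request that mixes releasable and non-releasable items yields no signatures at all rather than a partial release.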


Rationale: Public key certificates must be signed by a recognized authority, i.e., they shall not be self-signed. Self-signed certificates would provide an opportunity for certificate forgery and therefore an opportunity to replace all or part of the distributed items without detection.




TCX: Trusted Distribution Plan - Initial Design

NPS-CAG-14-010


Figure 2 The Flow to Distribution


4 Notification Setup During Distribution

In the event that security-relevant bugs are found after a product has been distributed, it shall be necessary to inform the users of such bugs and of the steps being taken to remediate them. Direct notification is challenging because of the nature of an anonymous web server download. However, when a user is about to download the product from the web server, they shall be given the opportunity to optionally register an e-mail address for such bug notifications. In addition, the web server should provide information about reported bugs.